feat: use generic fog provider for external blobstore

chart/assets/operations/instance_groups/singleton-blobstore.yaml

@@ -13,7 +13,7 @@
 
 - type: replace
   path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/blobstore/internal_access_rules?
-  value: [ "allow 10.0.0.0/8;","allow 172.16.0.0/12;", "allow 192.168.0.0/16;" , "allow 100.64.0.0/10;"]
+  value: [ "allow 10.0.0.0/8;","allow 172.16.0.0/12;", "allow 192.168.0.0/16;", "allow 100.64.0.0/10;"]
 - type: replace
   path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/quarks?
   value:
@@ -50,4 +50,37 @@
 {{- range $bytes := .Files.Glob "assets/operations/pre_render_scripts/singleton-blobstore_*" }}
 {{ $bytes | toString }}
 {{- end }}
+
+{{- else }}{{/* .Values.features.blobstore.provider is *not* "singleton" */}}
+
+- type: remove
+  path: /instance_groups/name=singleton-blobstore
+
+# remove unnecessary variables for internal blobstore
+- type: remove
+  path: /variables/name=blobstore_admin_users_password
+
+- type: remove
+  path: /variables/name=blobstore_secure_link_secret
+
+- type: remove
+  path: /variables/name=blobstore_tls
+
+{{- $buckets := dict }}
+{{- $_ := set $buckets "buildpacks" "buildpack" }}
+{{- $_ := set $buckets "droplets" "droplet" }}
+{{- $_ := set $buckets "packages" "app_package" }}
+{{- $_ := set $buckets "resource_pool" "resource" }}
+
+{{- range $bucket, $key_name := $buckets }}
+  {{- include "_capi.removeProperty" $bucket }}
+
+  {{- $path := printf "%s.fog_connection" $bucket }}
+  {{- include "_capi.setProperty" (list $path "((fog_connection))") }}
+
+  {{- $key := printf "%s_directory_key" $key_name }}
+  {{- $path = printf "%s.%s" $bucket $key }}
+  {{- include "_capi.setProperty" (list $path (index $.Values.features.blobstore.fog $key)) }}
+{{- end }}
+
 {{- end }}

chart/templates/_capi.tpl

@@ -1,31 +1,57 @@
 {{- /*
 ==========================================================================================
-| _capi.setProperty $property $value
+| _capi.setProperty $property [$value]
 +-----------------------------------------------------------------------------------------
 | There are 4 CAPI jobs that all share the same cloud_controller_ng specs file,
 | and therefore potentially all use the same "cc" properties. This template will
 | set a property in all of the jobs, so there is a single location to keep track
 | of instance groups these jobs run in.
 |
+| If the property starts with "buildpacks" then it will only be set in the cloud
+| controller jobs (ng, worker, clock), because the other job(s) don't use/define
+| these properties.
+|
 | $property can use dotted path notation to specify nested properties,
 | e.g. "diego.foo" to set the "cc.diego.foo" property.
+|
+| If the $value is omitted, the property is removed from the manifest.
 ==========================================================================================
 */}}
 {{- define "_capi.setProperty" }}
-  {{- $property := index . 0 }}
-  {{- $value := index . 1 }}
+  {{- $params := . }}
+  {{- $property := index $params 0 }}
 
   {{- $ig := dict }}
   {{- $_ := set $ig "cloud_controller_ng"     "api"       }}
   {{- $_ := set $ig "cloud_controller_worker" "cc-worker" }}
   {{- $_ := set $ig "cloud_controller_clock"  "scheduler" }}
-  {{- $_ := set $ig "cc_deployment_updater"   "scheduler" }}
-  {{- /* XXX cc_route_syncer is not in cf-deployment; see CF-K8s-Networking */}}
-  {{- /* $_ := set $ig "cc_route_syncer" "???" */}}
+
+  {{- /* The buildpacks properties are only defined for the ng/worker/clock jobs */}}
+  {{- if not (hasPrefix "buildpacks" $property) }}
+    {{- $_ := set $ig "cc_deployment_updater"   "scheduler" }}
+    {{- /* XXX cc_route_syncer is not in cf-deployment; see CF-K8s-Networking */}}
+    {{- /* $_ := set $ig "cc_route_syncer" "???" */}}
+  {{- end }}
 
   {{- range $job, $instance_group := $ig }}
-- type: replace
-  path: /instance_groups/name={{ $instance_group }}/jobs/name={{ $job }}?/properties/cc/{{ $property | replace "." "/" }}
-  value: {{ $value | toJson }}
+- path: /instance_groups/name={{ $instance_group }}/jobs/name={{ $job }}?/properties/cc/{{ $property | replace "." "/" }}
+    {{- if lt (len $params) 2 }}
+  type: remove
+    {{- else }}
+  type: replace
+  value: {{ index $params 1 | toJson }}
+    {{- end }}
   {{- end }}
 {{- end }}
+
+{{- /*
+==========================================================================================
+| _capi.removeProperty $property
++-----------------------------------------------------------------------------------------
+| Alias for _capi.setProperty, just to make it clearer at the call site that this
+| is removing a property and not setting a value.
+==========================================================================================
+*/}}
+{{- define "_capi.removeProperty" }}
+  {{- include "_capi.setProperty" (list .) }}
+{{- end }}

chart/templates/_features.tpl

@@ -8,10 +8,10 @@
 */}}
 {{- define "_features.update" }}
   {{- /* Translate blobstore.provider feature into a proper boolean we can query in the conditions */}}
-  {{- if eq $.Values.features.blobstore.provider "s3" }}
-    {{- $_ := merge $.Values (dict "features" (dict "external_blobstore" (dict "enabled" true))) }}
-  {{- else }}
+  {{- if eq $.Values.features.blobstore.provider "singleton" }}
     {{- $_ := merge $.Values (dict "features" (dict "external_blobstore" (dict "enabled" false))) }}
+  {{- else }}
+    {{- $_ := merge $.Values (dict "features" (dict "external_blobstore" (dict "enabled" true))) }}
   {{- end}}
   {{- /* Fix routing_api to proper (per-scheduler) default when not overriden by user */}}
   {{- if kindIs "invalid" $.Values.features.routing_api.enabled }}

chart/templates/bosh_deployment.yaml

@@ -32,18 +32,6 @@ spec:
 {{- end }}
   ops:
 
-{{- if eq .Values.features.blobstore.provider "s3" }}
-# S3 blobstore operations
-  - name: {{ include "kubecf.ops-name" (dict "Path" "assets/use-external-blobstore.yml") }}
-    type: configmap
-  - name: {{ include "kubecf.ops-name" (dict "Path" "assets/use-s3-blobstore.yml") }}
-    type: configmap
-{{- if .Values.features.eirini.enabled }}
-  - name: {{ include "kubecf.ops-name" (dict "Path" "assets/configure-bits-service-s3.yml") }}
-    type: configmap
-{{- end }}
-{{- end }}
-
 # Instance group operations
 {{- range $path, $bytes := .Files.Glob "assets/operations/instance_groups/*" }}
   - name: {{ include "kubecf.ops-name" (dict "Path" $path) }}

chart/templates/fog-blobstore.yaml

@@ -0,0 +1,16 @@
+{{- include "_config.load" $ }}
+
+{{- if eq .Values.features.blobstore.provider "fog" }}
+apiVersion: "v1"
+kind: "Secret"
+type: Opaque
+metadata:
+  name: var-fog-connection
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- list . "api" | include "component.labels" | nindent 4 }}
+  annotations:
+    quarks.cloudfoundry.org/json-value: "true"
+stringData:
+  value: {{ .Values.features.blobstore.fog.connection | toJson | quote }}
+{{- end }}

chart/templates/ops.yaml

@@ -21,14 +21,6 @@ data:
 
 {{- $root := . }}
 
-{{- if eq .Values.features.blobstore.provider "s3" }}
-{{ include "kubecf.ops" (dict "Root" $root "Path" "assets/use-external-blobstore.yml") }}
-{{ include "kubecf.ops" (dict "Root" $root "Path" "assets/use-s3-blobstore.yml") }}
-{{- if .Values.features.eirini.enabled }}
-{{ include "kubecf.ops" (dict "Root" $root "Path" "assets/configure-bits-service-s3.yml") }}
-{{- end }}
-{{- end }}
-
 {{- range $path, $_ := .Files.Glob "assets/operations/instance_groups/*" }}
 {{ include "kubecf.ops" (dict "Root" $root "Path" $path) }}
 {{- end }}

chart/values.schema.yaml

@@ -251,8 +251,59 @@ properties:
   features:
     type: object
     properties:
-      # "blobstore" doesn't have an "enabled" property
-      blobstore: {}
+      # Note: "blobstore" doesn't have an "enabled" property
+      blobstore:
+        type: object
+        oneOf:
+        - properties:
+            provider: {enum: [singleton]}
+          required: [provider]
+          additionalProperties: false
+        - properties:
+            provider: {enum: [fog]}
+            fog:
+              type: object
+              properties:
+                app_package_directory_key: {type: string}
+                buildpack_directory_key: {type: string}
+                droplet_directory_key: {type: string}
+                resource_directory_key: {type: string}
+                connection:
+                  type: object
+                  oneOf:
+                  - properties:
+                      provider: {enum: [AWS]}
+                      aws_access_key_id: {type: string}
+                      aws_secret_access_key: {type: string}
+                      aws_signature_version: {type: string}
+                      endpoint: {type: string}
+                      # path_style is not supported by bits_service
+                      path_style: {type: boolean}
+                      region: {type: string}
+                    required: [provider, aws_access_key_id, aws_secret_access_key]
+                    additionalProperties: false
+                  - properties:
+                      provider: {enum: [Google]}
+                      google_storage_access_key_id: {type: string}
+                      google_storage_secret_access_key: {type: string}
+                    required: [provider, google_storage_access_key_id, google_storage_secret_access_key]
+                    additionalProperties: false
+                  - properties:
+                      provider: {enum: [AzureRM]}
+                      azure_storage_access_key: {type: string}
+                      azure_storage_account_name: {type: string}
+                      environment: {type: string}
+                    required: [provider, environment, azure_storage_account_name, azure_storage_access_key]
+                    additionalProperties: false
+              required:
+              - app_package_directory_key
+              - buildpack_directory_key
+              - droplet_directory_key
+              - resource_directory_key
+              - connection
+              additionalProperties: false
+          required: [provider, fog]
+          additionalProperties: false
 
       memory_limits:
         # should "null" be allowed too?